VMware Patches Security Holes

Monday, October 21, 2013 @ 05:10 PM gHale

VMware released security patches that address multiple security vulnerabilities affecting several of its products, including ESX, ESXi, vCenter Server, vCenter Server Appliance, and vSphere Update Manager.

Some of the flaws can bypass security restrictions to elevate privileges, execute malicious code, or overwrite important files. Other bugs could lead to denial-of-service (DoS).

One of those vulnerabilities is a bug in vCenter Server 5.0 and 5.1 that could enable an attacker to bypass the need for valid credentials under some circumstances. In order to exploit the vulnerability, the affected product must be in an environment that uses Active Directory with anonymous LDAP binding enabled.

This type of setup doesn’t properly handle log-in credentials. The VMware advisory said, “In this environment, authenticating to vCenter Server with a valid user name and a blank password may be successful even if a non-blank password is required for the account.”

The workaround is to discontinue the use of Active Directory anonymous LDAP binding if it is enabled.
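The blank-password behaviour described above follows from how LDAP simple bind treats a DN with an empty password: it is an "unauthenticated" bind, which a directory that permits anonymous binding may accept without validating the account. The following added example (not VMware's code; the directory, DNs and passwords are constructed) models that bind semantics and contrasts an authentication routine that trusts any successful bind with one that rejects empty credentials and checks the bound identity.

```python
"""Model of the LDAP blank-password pitfall (constructed example, not vCenter code)."""
from dataclasses import dataclass
from typing import Optional

# Constructed directory: DN -> password. Not a real deployment.
DIRECTORY = {
    "cn=alice,dc=example,dc=com": "correct horse battery staple",
}


@dataclass
class BindResult:
    success: bool
    bound_as: Optional[str]  # None means the session is anonymous, not the named user


def simple_bind(dn: str, password: str, allow_anonymous: bool) -> BindResult:
    """Simplified RFC 4513 simple bind.

    A DN with an empty password is an 'unauthenticated' bind. When the server
    allows anonymous binding it succeeds, but the session carries no identity.
    """
    if password == "":
        return BindResult(success=allow_anonymous, bound_as=None)
    if DIRECTORY.get(dn) == password:
        return BindResult(success=True, bound_as=dn)
    return BindResult(success=False, bound_as=None)


def authenticate_vulnerable(dn: str, password: str, allow_anonymous: bool = True) -> bool:
    """Treats any successful bind as proof of identity (the flawed pattern)."""
    return simple_bind(dn, password, allow_anonymous).success


def authenticate_hardened(dn: str, password: str, allow_anonymous: bool = True) -> bool:
    """Rejects empty credentials before binding and requires the bound
    identity to match the user being authenticated."""
    if not dn or not password:
        return False
    result = simple_bind(dn, password, allow_anonymous)
    return result.success and result.bound_as == dn


if __name__ == "__main__":
    user = "cn=alice,dc=example,dc=com"
    print("vulnerable, blank password:", authenticate_vulnerable(user, ""))   # True
    print("hardened,   blank password:", authenticate_hardened(user, ""))     # False
    print("vulnerable, anonymous bind off:", authenticate_vulnerable(user, "", False))  # False
```

Disabling anonymous binding (the last call) closes the hole server-side, which is the workaround VMware describes; the client-side empty-credential check protects the application even where that setting is later re-enabled.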

Users of version 5.1 of VMware’s vCenter Server Appliance (vCSA) on Linux should be aware of two other vulnerabilities. The first is a remote code execution flaw that enables an attacker with stolen credentials to run existing files as root. The second vulnerability is within the Virtual Appliance Management Interface (VAMI), where an authenticated remote attacker can upload files to an arbitrary location, thereby creating new files or overwriting existing files. According to the VMware advisory, replacing certain files could result in a denial-of-service condition.

Certain versions of VMware’s ESX and ESXi hypervisors (4.0, 4.1 and 5.0) are also affected. According to VMware, there is a flaw in the hostd-vmdb that could allow an attacker to cause a denial-of-service condition. In order to exploit this vulnerability, an attacker would need to intercept and modify the management traffic.

The advisory also identified a session fixation vulnerability in the vSphere Web Client Server through which an attacker could gain elevated privileges within the environment. However, exploiting this flaw may not prove easy as it requires some knowledge of the target user’s session. An attacker would have to know a valid session ID of an already authenticated user, VMware said.

In either instance, VMware said users can reduce the likelihood of these vulnerabilities being exploited by running vSphere components in an isolated management network, so that management traffic cannot be intercepted.

VMware also updated a number of third-party libraries, such as OpenSSL, across several of its product lines including vCenter Server, ESX, and ESXi in order to resolve multiple security issues.

In a physical environment, hackers have to concentrate on hacking individual servers or individual applications to cause chaos. But in a virtualized environment, a hacker can sometimes get away with entry through a single point and gain access to everything.